The Information Commissioner’s Office (ICO) fined British Airways (BA) £ 20m ($ 26m) for failing to protect financial details of more than 400,000 of its customers
As of June 2018, the personal data of approximately 429,612 customers and employees was reportedly viewed This included the names, addresses, payment card numbers, and bank valued card verification (CVV) numbers of 244,000 BA customers
Investigators found that BA should have identified security weaknesses The carrier did not detect the hack for more than two months
The airline failed to protect its customers’ personal and financial data, which violated data protection law BA should have addressed issues with the security measures available at the time, said ICO
The watchdog found that there were « many measures » BA could have used to prevent or reduce the impact of the attack, including performing rigorous testing on its systems and protecting accounts with multi-factor authentication He said none of these measures would have involved « excessive costs or technical barriers » and that some were available through the operating system used by BA
ICO said the airline had made « significant improvements to its IT security » since the attack
In conclusion, investigators said that addressing these security concerns would have « prevented the 2018 data breach from being conducted in this manner »
As the hack happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as the lead supervisory authority under the General Regulation on data protection (RGPD)
The sanction and action have been approved by other EU data protection authorities (DPAs) as part of the GDPR cooperation process
Information Commissioner Elizabeth Denham said: “People have entrusted their personal data to BA and BA has not taken adequate measures to protect this information
« Their inability to act was unacceptable and affected hundreds of thousands of people, which may have caused anxiety and distress as a result. This is why we fined BA 20 million. pounds sterling – our largest to date
« When organizations make bad decisions about people’s personal data, it can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including by investing in up-to-date security »
BA received a notice of intention to fine from ICO in July 2019, the commissioner then said BA could be fined over £ 183million That’s more than nine times the £ 20million the carrier was ultimately fined for
The ICO said it took into account « BA’s representations and the economic impact of COVID-19 on their business » before setting the final sanction
Other details that would have been seen include the combined bank card and CVV numbers of 77,000 customers and the card numbers of only 108,000 customers
Usernames and passwords for BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts have also been potentially exposed
A BA spokesperson said: “We alerted customers as soon as we learned of the criminal attack on our systems in 2018 and are sorry we did not meet our customers’ expectations
« We are pleased that the ICO acknowledges that we have significantly improved the security of our systems since the attack and that we have fully cooperated with its investigation »
British Airways data breach, Information Commissioner’s office
World news – GB – British Airways fined £ 20million for data breach affecting more than 400,000 customers
